非常精彩的一篇入侵检测系统 phpids使用教程 写的真好
来源:互联网 发布:乐视电视mac码怎么查 编辑:程序博客网 时间:2024/06/07 05:41
Intrusion Detection For PHP Applications With PHPIDS
Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 06/04/2008
This tutorial explains how to set up PHPIDS on a web server with Apache2 and PHP5. PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
I have tested this on a Debian Etch LAMP system with Apache2 and PHP5 and the IP address192.168.0.100. The Apache user and group on Debian Etch iswww-data, so if you are on a different distribution, the Apache user and group might be different. The location ofphp.ini (/etc/php5/apache2/php.ini on Debian Etch) might differ as well.
I'm using a virtual host with the document root /var/www/web1/web in this example.
2 Installing PHPIDS
For security reasons, I want to install PHPIDS outside of the document root, so I create the directory/var/www/web1/phpids:
mkdir /var/www/web1/phpids
Then I install PHPIDS as follows (at the time of this writing the latest version was 0.4.7) - of all the contents of thephpids-0.4.7.tar.gz file, we only need the lib/ directory:
cd /tmp
wget http://php-ids.org/files/phpids-0.4.7.tar.gz
tar xvfz phpids-0.4.7.tar.gz
cd phpids-0.4.7
mv lib/ /var/www/web1/phpids/
Now I change to the directory /var/www/web1/phpids/lib/IDS...
cd /var/www/web1/phpids/lib/IDS
... and make the tmp/ directory (which will hold the PHPIDS log file) writable for the Apache user and group:
chown -R www-data:www-data tmp/
Next we configure the PHPIDS configuration file (Config.ini):
cd Config/
vi Config.ini
I'm using the default configuration here, all I did was to adjust the paths:
; PHPIDS Config.ini; General configuration settings; !!!DO NOT PLACE THIS FILE INSIDE THE WEB-ROOT IF DATABASE CONNECTION DATA WAS ADDED!!![General] filter_type = xml filter_path = /var/www/web1/phpids/lib/IDS/default_filter.xml tmp_path = /var/www/web1/phpids/lib/IDS/tmp scan_keys = false exceptions[] = __utmz exceptions[] = __utmc; If you use the PHPIDS logger you can define specific configuration here[Logging] ; file logging path = /var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt ; email logging ; note that enabling safemode you can prevent spam attempts, ; see documentation recipients[] = test@test.com.invalid subject = "PHPIDS detected an intrusion attempt!" header = "From: <PHPIDS> info@php-ids.org" safemode = true allowed_rate = 15 ; database logging wrapper = "mysql:host=localhost;port=3306;dbname=phpids" user = phpids_user password = 123456 table = intrusions; If you would like to use other methods than file caching you can configure them here[Caching] ; caching: session|file|database|memcached|none caching = file expiration_time = 600 ; file cache path = /var/www/web1/phpids/lib/IDS/tmp/default_filter.cache ; database cache wrapper = "mysql:host=localhost;port=3306;dbname=phpids" user = phpids_user password = 123456 table = cache ; memcached ;host = localhost ;port = 11211 ;key_prefix = PHPIDS ;tmp_path = /var/www/web1/phpids/lib/IDS/tmp/memcache.timestamp
3 Using PHPIDS
We will now create the file /var/www/web1/web/phpids.php which will call PHPIDS for us (we will later on prepend that file to all our PHP files so that our PHP files can make use of PHPIDS automatically):
vi /var/www/web1/web/phpids.php
<?phpset_include_path( get_include_path() . PATH_SEPARATOR . '/var/www/web1/phpids/lib' ); require_once 'IDS/Init.php'; $request = array( 'REQUEST' => $_REQUEST, 'GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE ); $init = IDS_Init::init('/var/www/web1/phpids/lib/IDS/Config/Config.ini'); $ids = new IDS_Monitor($request, $init); $result = $ids->run(); if (!$result->isEmpty()) { // Take a look at the result object echo $result; require_once 'IDS/Log/File.php'; require_once 'IDS/Log/Composite.php'; $compositeLog = new IDS_Log_Composite(); $compositeLog->addLogger(IDS_Log_File::getInstance($init)); $compositeLog->execute($result); }?>
Now when you call that file in a browser, (e.g. http://192.168.0.100/phpids.php), you will see a blank page. But if you try to append some malicious parameters to the URL (e.g.http://192.168.0.100/phpids.php?test=%22%3EXXX%3Cscript%3Ealert(1)%3C/script%3E), PHPIDS will detect this and print its findings in the browser:
Now we have to find a way to make our PHP scripts use PHPIDS. Of course, you don't want to modify all your PHP scripts (you could have hundreds of them...). Fortunately, there's a better way: we can tell PHP to prepend a PHP script whenever a PHP script is called. For example, if we call the script info.php in a browser, PHP would first executephpids.php and then info.php, and we don't even have to modifyinfo.php.
We can do this by using PHP's auto_prepend_file parameter. We caneither set this in ourphp.ini (this is a global setting which is valid for all PHP web sites on the server),or in an.htaccess file (this is a setting valid only for the web site in question):
php.ini
Open your php.ini (e.g. /etc/php5/apache2/php.ini), and setauto_prepend_file to /var/www/web1/web/phpids.php:
vi /etc/php5/apache2/php.ini
[...]auto_prepend_file = /var/www/web1/web/phpids.php[...]
Restart Apache afterwards:
/etc/init.d/apache2 restart
.htaccess
Instead of modifying php.ini (which is a global change, i.e., the change is valid for all web sites that use PHP on the server), you can instead use an.htaccess file (so the setting would be valid only for the web site for which you create the.htaccess file):
vi /var/www/web1/web/.htaccess
php_value auto_prepend_file /var/www/web1/web/phpids.php
Please make sure that the vhost for the web site in /var/www/web1/web contains something like this (otherwise thephp_value line in the .htaccess file will be ignored) (if you have to modify the vhost, please don't forget to restart Apache):
<Directory /var/www/web1/web/>AllowOverride All</Directory>
Now we create a simple PHP file, /var/www/web1/web/info.php:
vi /var/www/web1/web/info.php
<?phpphpinfo();?>
Call that file in a browser (http://192.168.0.100/info.php), and you should see the normalphpinfo() output.
Now append some malicious parameters to the URL (e.g. http://192.168.0.100/info.php?test=%22%3EXXX%3Cscript%3Ealert(1)%3C/script%3E), and you should find a PHPIDS report before thephpinfo() output (because /var/www/web1/web/phpids.php was executed before /var/www/web1/web/info.php):
PHPIDS logs to /var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt, so you should see something in the log now:
cat /var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt
"192.168.0.200",2008-06-04T17:36:08+02:00,54,"xss csrf id rfe lfi","REQUEST.test=%5C%22%3EXXX%3Cscript%3Ealert%281%29%3C%2Fscript%3E GET.test=%5C%22%3EXXX%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
"%2Finfo.php%3Ftest%3D%2522%253EXXX%253Cscript%253Ealert%281%29%253C%2Fscript%253E"
Now by observing that log you learn what hackers are trying to do to your PHP applications, and you can try to harden your applications.
To add another level of security, we can stop our PHP scripts from executing if PHPIDS find that they are under attack: we simply add something likedie('<h1>Go away!</h1>'); to the if (!$result->isEmpty()) {} section of the /var/www/web1/web/phpids.php script:
vi /var/www/web1/web/phpids.php
<?phpset_include_path( get_include_path() . PATH_SEPARATOR . '/var/www/web1/phpids/lib' ); require_once 'IDS/Init.php'; $request = array( 'REQUEST' => $_REQUEST, 'GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE ); $init = IDS_Init::init('/var/www/web1/phpids/lib/IDS/Config/Config.ini'); $ids = new IDS_Monitor($request, $init); $result = $ids->run(); if (!$result->isEmpty()) { // Take a look at the result object echo $result; require_once 'IDS/Log/File.php'; require_once 'IDS/Log/Composite.php'; $compositeLog = new IDS_Log_Composite(); $compositeLog->addLogger(IDS_Log_File::getInstance($init)); $compositeLog->execute($result); die('<h1>Go away!</h1>'); }?>
If there's no attack, the scripts are executed, but if PHPIDS finds an attack, it prevents the scripts from being executed and displays a message to the hackers:
- 非常精彩的一篇入侵检测系统 phpids使用教程 写的真好
- PHPIDS入侵检测系统安装使用笔记
- 入侵检测系统的部署
- 入侵检测系统的不足
- 入侵检测初学习--常见的入侵检测系统
- 入侵检测系统和入侵防护系统的区别
- MFC中对象、句柄、ID之间的区别.---------非常经典写得真好
- 基于Snort的入侵检测系统
- 基于数据挖掘的入侵检测系统
- samhain:比较变态的入侵检测系统
- 浅析几个著名的入侵检测系统
- 6.1基于主机的入侵检测系统
- 关于入侵检测系统常用的几种检测方法
- 代码写累了,咱来笑一笑,生活真tmd的精彩
- Xunsearch的文档写的真好
- 非常经典的渗透入侵
- 非常精彩的MongoDB FAQ
- 写的真好 尤其是前七条
- 数据库中NCHAR 、CHAR等的区别
- 用Xlib库进行基本图形编程
- Apache与Tomcat 区别联系
- asp.net中的验证码
- Poco::Bugcheck
- 非常精彩的一篇入侵检测系统 phpids使用教程 写的真好
- 初学Android,使用菜单资源(十九)
- 满肚的牢骚
- 三星i9100通话质量不好声音很小怎么办?
- 免费邮件群发器
- Gabor的OpenCV代码
- JavaScript里面三个等号和两个等号的区别
- Linux 基本的 shell 命令
- 虚函数和纯虚函数的区别